Headline
CVE-2020-14148: Release ngIRCd 26~rc2 · ngircd/ngircd
The Server-Server protocol implementation in ngIRCd before 26~rc2 allows an out-of-bounds access, as demonstrated by the IRC_NJOIN() function.
ngIRCd 26~rc2 (2020-06-11)
The ChangeLog lists the following changes since ngIRCd 26~rc1:
Add AppStream metadata file (contrib/de.barton.ngircd.metainfo.xml).
Don’t send invalid CHANINFO commands when a channel has mode +k set but no key is known to the server. This can happen with a misconfigured predefined channel, for example, and looked like this:
Note the unset key represented by the two spaces. Fix this by sending a * in this case and update the CHANINFO documentation, too.
ngircd.spec: Fix names of README.md and INSTALL.md, add .md extension.
Update description texts in the README.md file, the RPM and Debian package files and the manual page: bring them in line with the updated homepage.
Server-Server protocol: Fix use-after-free when unregistering a directly connected server sending a SQUIT for itself.
Server-Server protocol: Detect bogus SERVER commands lacking a prefix. Thanks Hilko Bengen (hillu) for finding & reporting this as well as for the patch & pull request (even if fixed differently). Closes #275.
Fix the PING-PONG logic: In ngIRCd 26~rc1 this was completely broken (while trying to fix timeouts during server handshakes in bigger networks): the daemon never disconnected any stale peers but kept sending out PINGs over and over again …
Test suite: Add missing files needed to test SSL support to EXTRA_DIST, so that they are included in distribution archives: in rc1, “make check” fails when using sources from an archive and enabling SSL support. Thanks to Hilko Bengen for the patch!
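Added example, not taken from the ngIRCd sources: why the empty key field described in the CHANINFO item above is invalid, and what the "*" placeholder changes. It assumes the 5-parameter form `CHANINFO <channel> +<modes> <key> <limit> :<topic>` and a receiver that splits fields on runs of spaces, as RFC 1459 permits; `build_chaninfo`, `parse_params` and the channel name are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: format a 5-parameter CHANINFO line. fixed=0 leaves
 * an unknown key empty (the rc1 output); fixed=1 sends "*" in its place. */
int build_chaninfo(char *out, size_t len, const char *chan, const char *modes,
                   const char *key, unsigned long limit, const char *topic,
                   int fixed)
{
    int unknown = (key == NULL || key[0] == '\0');
    int n = snprintf(out, len, "CHANINFO %s +%s %s %lu :%s", chan, modes,
                     unknown ? (fixed ? "*" : "") : key, limit, topic);
    return (n < 0 || (size_t)n >= len) ? -1 : n;
}

/* Count the parameters after the command word; copy parameter `want` (0-based)
 * to out. Assumed receiver: runs of spaces separate fields, ':' starts trailing. */
int parse_params(const char *line, int want, char *out, size_t len)
{
    int count = 0;
    const char *p = line + strcspn(line, " ");      /* skip the command */
    for (;;) {
        p += strspn(p, " ");                        /* collapse spaces */
        if (*p == '\0') break;
        int trailing = (*p == ':');
        p += trailing;
        size_t n = trailing ? strlen(p) : strcspn(p, " ");
        if (count == want && len > 0) {
            size_t c = n < len - 1 ? n : len - 1;
            memcpy(out, p, c);
            out[c] = '\0';
        }
        count++;
        p += n;
        if (trailing) break;
    }
    return count;
}

int main(void)
{
    char line[128], field[32];
    for (int fixed = 0; fixed <= 1; fixed++) {      /* constructed channel */
        build_chaninfo(line, sizeof line, "#test", "k", "", 0, "", fixed);
        int n = parse_params(line, 2, field, sizeof field);
        printf("%-26s -> %d params, key slot = \"%s\"\n", line, n, field);
    }
    return 0;
}
```

With the empty key the receiver sees one parameter fewer and reads the limit in the key position; with "*" every field stays in its slot.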